c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7

Analysis

max time kernel
140s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
Size

632KB
MD5

222831dc032b9cd1dad652a777419574
SHA1

37d45f0c42caddf9516b715bbec8db679ff3cff9
SHA256

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7
SHA512

2f9778d283d5cb7467332924f7fef8e1e576a41fa4c572e6786632444f9aa82de31873e711324170e46cb7bb893ce0fa43e27d7608fa94a40eeecf4dd07a8039
SSDEEP

12288:wRWNcr8oxnLUiPclPA0DCQLsehJA3LQiEorgiYSsrGhtcLQaX:TNBILVIoQCoRJAke1rsrQtsJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe

Executes dropped EXE 2 IoCs

Processes:

UnRAR.exemd5.exe

pid process

364 UnRAR.exe
4572 md5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4036 4572 WerFault.exe md5.exe

pid	process
364	UnRAR.exe
4572	md5.exe

pid	pid_target	process	target process
4036	4572	WerFault.exe	md5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.execmd.exe

description	pid	process	target process
PID 4292 wrote to memory of 3620	4292	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 4292 wrote to memory of 3620	4292	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 4292 wrote to memory of 3620	4292	c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe	cmd.exe
PID 3620 wrote to memory of 364	3620	cmd.exe	UnRAR.exe
PID 3620 wrote to memory of 364	3620	cmd.exe	UnRAR.exe
PID 3620 wrote to memory of 364	3620	cmd.exe	UnRAR.exe
PID 3620 wrote to memory of 4572	3620	cmd.exe	md5.exe
PID 3620 wrote to memory of 4572	3620	cmd.exe	md5.exe
PID 3620 wrote to memory of 4572	3620	cmd.exe	md5.exe

C:\Users\Admin\AppData\Local\Temp\c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
"C:\Users\Admin\AppData\Local\Temp\c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
UnRAR.exe e -p83102a md5.rar
3⤵
- Executes dropped EXE
PID:364

C:\Users\Admin\AppData\Local\Temp\md5.exe
md5.exe
3⤵
- Executes dropped EXE
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 600
4⤵
- Program crash
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4572 -ip 4572
1⤵
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
Filesize
299KB

MD5
f9388c6824adabb36596642ebc368db7

SHA1
7cf300de45e497224b4ee3a2891d961bb38cc7a0

SHA256
3a8020a4a16ea37a9d6fac6bbc8345e54dea92c247f4b9d630bc32780faf4dee

SHA512
db0c19d2d8e8d8879095e65f6d2216f32ed29f0832dc53023ac2c1bc3558330e7ad12cee4e74ca5bf6e65c3133b0b6f220eed9bb702e5022808f585bfcf26001

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat
Filesize
102B

MD5
d357b49de1eff9c0b92779cc4b976a81

SHA1
0662a967d7b462f7170882eebce4068f7a4c0fac

SHA256
64c2fd677a11e309a5eb51d83eac7295be72ddca5ca234e57c3e49621f0b416d

SHA512
f75903dbc4bad5e0a6b380723dc06047bdbf6da978ee2dd088231dfac761292e2d9bb762e6f5db02e50a0c26dff7836746c110e01381d0c6c1e7bcc1b9e4eeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\md5.exe
Filesize
423KB

MD5
199962380ea67533cbf4e28873b2444f

SHA1
94794d37c012a2ebff519a5a04cc38b2dd1b51f4

SHA256
551dd2d44ed5c9eea686678c540851abfcccbf8ea12d669c291fc3465e708437

SHA512
de4959fab7e6c0bd9b505b9e4303877bf68a427295257d93d13ea1d4de021c8a172d807f8a824f7d2f70a184b299f503fc450d070997e98ea3294abec2c30677

Download Submit
C:\Users\Admin\AppData\Local\Temp\md5.rar
Filesize
300KB

MD5
e68d6b097b47a80437a47cf4a3125341

SHA1
58bbfffbe452b71dea2df8d72ae9fbfd16d540f7

SHA256
df4ea1e37bbcf10c31548a309334b740e6dd16fd159e14c501ce6eebafe6fe39

SHA512
77264d9b87f11930c42f56cb9cd03419eee0e44ea6965f5ed05f90bb802da6f2fbd0118aeb01780eff44cba26f686a1692286fc57ae22e0305890b7a40b5934a

Download Submit